Hardware wallet firm LEDGER is responding to a recent security vulnerability in its products that was exposed earlier this month.
On December 14th, Ledger announced that one of its employees fell victim to a phishing attack that allowed a bad actor to publish a malicious version of the Ledger Connect Kit, affecting users who connected to decentralized applications (DApps).
After the exploit, Tether, the largest stablecoin issuer in the world, the attacker’s USDT address, preventing much of the funds from being moved further.
statement on the social media platform X, Ledger says it’s aware of about $600,000 in assets that were impacted, and says it’s committed to making victimized users whole and preventing anything similar from happening again.
“We commit, by any way possible, including gestures of goodwill, to make sure this is done by the end of February 2024. We are already in contact with many impacted users and are actively working through the specifics with them.
We remind users that if you signed a transaction on affected DApps December 14th, 2023, best security practices would recommend revoking any authorized transactions to further reduce impact from the malicious code.”
Ledger says it’s also going to disable the option to blind-sign transactions in the future. Typically, users must “sign” transactions before allowing a smart contract to interact with their wallets, and blind signing allows them to skip the process, which is what Ledger aims to prohibit for its users.
“Front-end attacks have happened many times before and will continue to plague our ecosystem. The only foolproof countermeasure for this type of attack is to always verify what you consent to on your device.”
